So earlier this week I was having user issues connecting to our shares on a particular server. Posted here and many folks tried to help. In the end I found a deny445 rule enabled in my firewall on that server; once it was disabled, everything went back to working, and to tell the truth I had not had time to find a root cause for this.

Now today another server pops up not letting users access and BAM! it has two deny445 rules enabled in its firewall. I of course disabled them but am lost as to how they are getting there. I was hoping this has been seen before and someone can help me.

Still fighting this issue, but the short story is the EternalBlue exploit was part of this issue. The site has (before I came) various manufacturing machines that are running ancient OSes, unpatched, not secured, etc., and those happen to have normal network access (before me again), and the exploit was adding the deny445 rule, dumping all kinds of .exe files on the C: drive, all kinds of different tasks on the task scheduler, various .ps1 scripts to try and grab credentials and some other small stuff. It has been a harrowing week and a half to say the least and I'm still finding issues and trying to squash them. So many needed fixes...

Anyway, the moral of this story is: if you do not have a firewall blocking traffic to your antiquated equipment, you had better get one.
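The post above lists the artifacts that showed up on each compromised host: a firewall rule blocking port 445, executables dropped in the root of C:, unfamiliar scheduled tasks, and .ps1 scripts. The following PowerShell triage script is an added example written for this thread, not something the poster ran; it checks a Windows host for those same indicators so that a defender can sweep the rest of the fleet instead of waiting for the next "users can't reach the share" ticket. It assumes the built-in NetSecurity, ScheduledTasks and SmbShare modules (Windows 8.1 / Server 2012 R2 and later), an elevated session, and the rule name "deny445" from the post; the path and argument patterns used to flag tasks are heuristics chosen here, not a signature from any vendor.

```powershell
# Added triage example (not from the original post). Run elevated on a suspect host.
# Requires the NetSecurity, ScheduledTasks and SmbShare modules that ship with
# Windows 8.1 / Server 2012 R2 and later.

# 1. Enabled block rules that cover TCP 445, whether or not they carry the
#    "deny445" name seen in the thread. A file server should normally have none.
$blockSmbRules = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DisplayName -match 'deny\s*445' -or
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains '445')
    }
"== Firewall rules blocking SMB (445) =="
$blockSmbRules | Select-Object DisplayName, Direction, Profile, Owner | Format-Table -AutoSize

# 2. Scheduled tasks whose action launches from an odd location (root of C:,
#    Temp, Users\Public) or whose arguments reference a .ps1 script, an encoded
#    command, or an in-memory download. These patterns are heuristics chosen for
#    this example; review every hit by hand before deleting anything.
$execPattern = '^(C:\\[^\\]+\.exe$|.*\\Temp\\|.*\\Users\\Public\\)'
$argsPattern = '\.ps1|-EncodedCommand|-enc\s|DownloadString|Invoke-Expression|IEX'
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $_.Execute -match $execPattern -or $_.Arguments -match $argsPattern
    }
}
"== Scheduled tasks worth a look =="
$suspiciousTasks | ForEach-Object {
    [pscustomobject]@{
        TaskName = $_.TaskName
        TaskPath = $_.TaskPath
        Author   = $_.Author
        Execute  = ($_.Actions.Execute -join ' ')
        Args     = ($_.Actions.Arguments -join ' ')
        State    = $_.State
    }
} | Format-Table -AutoSize

# 3. Executables and PowerShell scripts sitting in the root of C:, newest first.
#    -Force includes hidden files; 'C:\*' is needed for -Include without -Recurse.
"== .exe / .ps1 files in C:\ =="
Get-ChildItem -Path 'C:\*' -Include '*.exe','*.ps1' -File -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 4. Exposure check: EternalBlue abuses the SMBv1 server, which MS17-010 patched.
#    SMBv1 should report False here; if it is True the host is still a soft target
#    for the old equipment on the same network.
"== SMBv1 server status (should be False) =="
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

Run it on the two servers that were hit first to confirm it reproduces what was found by hand, then on the remaining file servers. Disabling the deny445 rule restores the shares but removes none of the persistence the post describes, so the scheduled-task and dropped-file output is the part that matters for cleanup, and the SMBv1 line tells you which hosts still need MS17-010 and SMBv1 turned off before the unpatched manufacturing machines get another chance.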